Adding an SSL certificate from CloudFlare

Cloudflare issues a free Origin CA certificate for your web server. It is trusted by Cloudflare's edge, not by browsers, so it is only useful for a site that is proxied through Cloudflare; visitors see Cloudflare's own edge certificate, and the Origin CA certificate protects the leg between Cloudflare and your server.
After installing this certificate on the server, you can change the Cloudflare SSL/TLS mode from “Full” to “Full (strict),” so Cloudflare verifies the origin certificate instead of accepting any certificate the server presents.

Create a .pem file for the server certificate

nano MyDomain-com-server.pem

Copy the origin certificate (the block starting with BEGIN CERTIFICATE) from the Cloudflare dashboard and paste it into this file. Then save the file.
Move the server certificate to the directory for public certificates:

sudo mv MyDomain-com-server.pem /etc/ssl/certs/MyDomain-com-server.pem

Then create the file for the private key. Cloudflare shows the key only once, when the certificate is generated, so copy it now:

nano MyDomain-com-private.pem

Paste the private key (the block starting with BEGIN PRIVATE KEY) into this file and save it.
Move the private key to the directory reserved for keys:

sudo mv MyDomain-com-private.pem /etc/ssl/private/MyDomain-com-private.pem

Modify the Apache config file to use the certificates

The config files are located at:

cd /etc/apache2/sites-available

Open the config file:

sudo nano 01-MyDomain-com.conf

Find the lines inside the <VirtualHost *:443> block that still point at Debian's self-signed "snakeoil" certificate:

SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Change them to point at the files you just created. They would then look like this:

SSLCertificateFile /etc/ssl/certs/MyDomain-com-server.pem
SSLCertificateKeyFile /etc/ssl/private/MyDomain-com-private.pem

Rights and ownership on certificates

The private key directory /etc/ssl/private should be mode 710 and owned by root:ssl-cert, so only root and members of the ssl-cert group can enter it.

The private key files themselves should be mode 640, not 644. The directory already keeps other users out, but the file mode must protect the key on its own as well, for example if the directory permissions are ever loosened or the file is copied somewhere else. Apache reads the key as root at startup, so it does not need the ssl-cert group; reserve that group for services that really read the key unprivileged.

Public certificates in /etc/ssl/certs can be world-readable (644). Both directories and all the files in them should be owned by root.

Change the owner and group:

sudo chown root:ssl-cert -R /etc/ssl/private

Change the permissions on the key files:

sudo find /etc/ssl/private -type f -exec chmod 640 {} \;

Change the permissions on the folders:

sudo find /etc/ssl/private -type d -exec chmod 710 {} \;

All the files in the certificate folder should be owned by root:

sudo chown root:root -R /etc/ssl/certs/

Short version of adding the certs

Private key
sudo mv MyDomain-com-private.pem /etc/ssl/private/MyDomain-com-private.pem

sudo chown root:ssl-cert /etc/ssl/private/MyDomain-com-private.pem

sudo chmod 640 /etc/ssl/private/MyDomain-com-private.pem
Server cert
sudo mv MyDomain-com-server.pem /etc/ssl/certs/MyDomain-com-server.pem

sudo chown root:root /etc/ssl/certs/MyDomain-com-server.pem

sudo chmod 644 /etc/ssl/certs/MyDomain-com-server.pem
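The file placement and permission steps above, as one script. This is an added example and not part of the original post. It uses install(1) instead of mv plus chmod, so the key never sits in /etc/ssl/private with the wrong mode even for a moment, checks the resulting modes, and verifies that the pasted private key really belongs to the pasted certificate before Apache is touched (a key that does not match the certificate is the usual reason a restart fails after copying from the dashboard). The /etc/ssl paths, the ssl-cert group and the MyDomain-com file names are assumptions taken from this page for a Debian or Ubuntu host; the key mode 640 is the example's own hardening choice. Run it as root for the ownership changes to apply.

```shell
#!/bin/sh
# Added example (not from the original post): place a Cloudflare Origin CA
# certificate and its private key with safe ownership and modes, then verify.
# Assumed: Debian-style /etc/ssl layout, an "ssl-cert" group, the
# MyDomain-com-*.pem names used in the post.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if a private key is unreadable by "other" and unwritable
# by "group": 640 or 600 are the usual values, 440/400 also pass.
key_mode_ok() {
    case "$(file_mode "$1")" in
        600|640|400|440) return 0 ;;
        *) return 1 ;;
    esac
}

# A public certificate may be world-readable but only owner-writable.
cert_mode_ok() {
    [ "$(file_mode "$1")" = "644" ]
}

# Copy key and certificate into place with install(1), which creates the
# destination with the requested mode in one step. Ownership is changed only
# when running as root, so the function also works unprivileged (tests).
# Usage: install_tls_material KEY CERT KEYDIR CERTDIR [GROUP]
install_tls_material() {
    key=$1 cert=$2 keydir=$3 certdir=$4 grp=${5:-ssl-cert}
    if [ "$(id -u)" -eq 0 ]; then
        install -d -o root -g "$grp" -m 710 "$keydir"
        install -d -o root -g root   -m 755 "$certdir"
        install -o root -g "$grp" -m 640 "$key"  "$keydir/$(basename "$key")"
        install -o root -g root   -m 644 "$cert" "$certdir/$(basename "$cert")"
    else
        install -d -m 710 "$keydir"
        install -d -m 755 "$certdir"
        install -m 640 "$key"  "$keydir/$(basename "$key")"
        install -m 644 "$cert" "$certdir/$(basename "$cert")"
    fi
}

# Succeed only if the key and certificate carry the same public key.
# Apache refuses to start on a mismatch, so run this before restarting.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    k=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Typical run on the server (as root), then the config test from the post:
#   install_tls_material ./MyDomain-com-private.pem ./MyDomain-com-server.pem \
#       /etc/ssl/private /etc/ssl/certs
#   key_matches_cert /etc/ssl/private/MyDomain-com-private.pem \
#       /etc/ssl/certs/MyDomain-com-server.pem && apachectl configtest
```

If key_matches_cert fails, the wrong key was pasted or a line was lost while copying; fix the files before running apachectl configtest, since Apache reports the same problem as a startup error.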

Check the Apache config file

Test the configuration before restarting; it must report "Syntax OK":

sudo apachectl configtest

Restart the Apache web server:

sudo service apache2 restart

Check the Apache error logs

It is always a good habit to look at the error logs after a restart. A wrong path, or a private key that does not belong to the certificate, shows up here when Apache fails to start. The per-site log is whatever the ErrorLog directive in your .conf names.

cd /var/log/apache2/
sudo nano error.log
sudo nano 01-mydomain-com-error.log